Skip site navigation (1) Skip section navigation (2)

pgsql: Ignore SECURITY DEFINER and SET attributes for a PL's callhandl

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: pgsql-committers(at)postgresql(dot)org
Subject: pgsql: Ignore SECURITY DEFINER and SET attributes for a PL's callhandl
Date: 2012-05-31 03:29:06
Message-ID: (view raw or whole thread)
Lists: pgsql-committers
Ignore SECURITY DEFINER and SET attributes for a PL's call handler.

It's not very sensible to set such attributes on a handler function;
but if one were to do so, fmgr.c went into infinite recursion because
it would call fmgr_security_definer instead of the handler function proper.
There is no way for fmgr_security_definer to know that it ought to call the
handler and not the original function referenced by the FmgrInfo's fn_oid,
so it tries to do the latter, causing the whole process to start over

Ordinarily such misconfiguration of a procedural language's handler could
be written off as superuser error.  However, because we allow non-superuser
database owners to create procedural languages and the handler for such a
language becomes owned by the database owner, it is possible for a database
owner to crash the backend, which ideally shouldn't be possible without
superuser privileges.  In 9.2 and up we will adjust things so that the
handler functions are always owned by superusers, but in existing branches
this is a minor security fix.

Problem noted by Noah Misch (after several of us had failed to detect
it :-().  This is CVE-2012-2655.



Modified Files
src/backend/utils/fmgr/fmgr.c |   16 +++++++++++-----
1 files changed, 11 insertions(+), 5 deletions(-)

pgsql-committers by date

Next:From: Tom LaneDate: 2012-05-31 03:48:10
Subject: pgsql: Force PL and range-type support functions to be owned by asuper
Previous:From: Tom LaneDate: 2012-05-30 23:59:30
Subject: pgsql: Expand the allowed range of timezone offsets to +/-15:59:59from

Privacy Policy | About PostgreSQL
Copyright © 1996-2015 The PostgreSQL Global Development Group